Claranet | Compliance

Information Security and Data Protection

Version: 1.7
As of: 06.02.2018
Status: Final
Classification: Internal
Responsible: CISO

Table of Contents

1. Company Profile
2. Information Security and Data Protection
3. Organisational Security
   3.1. Security and Emergency Organisation
   3.2. The Shared Responsibility Model
      3.2.1. Managed Cloud
      3.2.2. Managed Public Cloud (AWS, CGP, Azure)
   3.3. Legal Compliance
   3.4. Information Classification
      3.4.1. Confidentiality (Cn)
      3.4.2. Data Protection (Dn)
      3.4.3. Handling of Classified Information and Storage Media
      3.4.4. Classification and Labelling of Information and Assets by the Customer
   3.5. Security Incident Management
      3.5.1. Preservation of Evidence
   3.6. Security Change Management
   3.7. Administrator's operational security
   3.8. Vulnerability Management
   3.9. Asset Management
   3.10. Capacity Management
   3.11. Risk Management
   3.12. Business Impact Analysis
   3.13. Security Reporting
   3.14. Audits and Emergency Tests
   3.15. Security Performance Evaluation
   3.16. Continual Service Improvement
   3.17. Business Continuity and Emergency Management
4. Technical Security
   4.1. Security Configuration Management (Hardening)
   4.2. Patch Management
   4.3. Backup and Restore
   4.4. Security Information and Event Management
      4.4.1. Time Synchronisation
   4.5. User registration and de-registration
   4.6. Privileged Access Management
      4.6.1. Multi-Factor Authentication
   4.7. Malware and Virus Protection
   4.8. Encryption
      4.8.1. Cryptographic Platform Protection
   4.9. Secure Engineering Principles
   4.10. Network Security Management
      4.10.1. DMZ
      4.10.2. Firewall
      4.10.3. Web Acceleration & DoS Protection (WADP)
      4.10.4. Web Application Firewall (WAF)
      4.10.5. Encrypted-MPLS
      4.10.6. Vulnerability Scans
5. Physical, Environmental and Personnel Security
   5.1. Offices and Data Centres
      5.1.1. Security Zone Model
      5.1.2. Office Hanauer Landstraße 184 / 196
      5.1.3. Claranet Data Centres
      5.1.4. Interxion Data Centres
      5.1.5. Public Cloud Locations and Regions
6. Consequences of a Security Incident
7. Document Management

List of Tables

Table 1 - Definition of Confidentiality Requirements
Table 2 - Definition of Data Protection Requirements
Table 3 - Storage of Classified Information Assets
Table 4 - Tagging and Labelling of Information Assets
Table 5 - Capacity Management
Table 6 - User Registration and De-registration
Table 7 - Management of Secret Authentication Information
Table 8 - Multi-Factor Authentication
Table 9 - Permitted Cryptographic Algorithms
Table 10 - Cryptographic Platform Protection
Table 11 - Security Zones for Sensitive Rooms at Claranet
Table 12 - Document History

List of Figures

Figure 1 - Organisation Chart of the Security Organisation
Figure 2 - Shared Responsibility of the Managed Cloud
Figure 3 - Shared Responsibility of the Managed Public Clouds
Figure 4 - Offices of the Claranet Group
Figure 5 - Claranet Security Zone Model
